httpd-dev mailing list archives

> > I can't see any side-effect after commenting out both
> > free_env() calls after cgi_stub()
> >
> > The core dumping stops.
>
> hmm, the original mail has vanished...
>
> I was seeing
>
> httpd: caught SIGBUS, dumping core
>
> after a script successfully redirected to another script or to
> a html which included cgi.
>
> calls to free_env() after a call to cgi_stub() were the cause.
>
> thoughts anyone ?
>
> robh

Yuk Yuk Yuk. The fault is in make_env(), which wasn't done any favours by
E25_custom_responses.txt.

It allocates a new array (newenv) larger than env, copies the pointers
across, and _frees the old env_. i.e. (simplified)

    char **new_env(char **env, int to_add, int *pos)
    {
        int x;
        char **newenv;

        for(x=0; env[x]; x++);
        newenv = (char **)malloc((to_add+x+1)*(sizeof(char *)));
        for(x=0; env[x]; x++) newenv[x] = env[x];
        *pos = x;
        free(env);
        return newenv;
    }

Some parts of the CGI code and server-side includes code contain, essentially:
(see send_parsed_file and exec_cgi_script)

    {
        env = new_env(in_headers_env, ..)
        [add more headers to env]
        [use env]
        free_env(env)
    }

Net result; in_headers_env, the global created by get_mime_headers(), is
free'd, as are all the strings it contained. Better not try and use it again,
especially after calling malloc()...

I don't think E25 helped the situation; this changed new_env to do

    char **new_env(char **env, int to_add, int *pos)
    {
        ...
        *pos = x;
        free(env);
        in_headers_env = newenv;
        return newenv;
    }

which will make it even more likely that the global gets trashed.

Solution:

1 Rob: remove your terrible hack to new_env, instead change the calls to
  new_env to update in_headers_env where appropriate.
2 Split new_env into two routines.
  a) enlarge_env, for modifying an environment; this would free the
     env pointer passed to it
  b) dup_env, for duplicating an environment; this would strdup all the
     environment strings, as well as the pointer array, and _not_ free
     the original pointer array.

David.
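
The enlarge_env / dup_env split proposed in the message above, sketched as an added example; it is not code from the original post or from the httpd sources. The helpers `grow`, `copy_str` and `env_len`, the demo function and its header strings are constructed for illustration, and the demo function skips allocation checks for brevity.

```c
#include <stdlib.h>
#include <string.h>

static int env_len(char **env) { int n = 0; while (env[n]) n++; return n; }
void free_env(char **env)              /* frees each string, then the array */
{
    int x;
    for (x = 0; env[x]; x++) free(env[x]);
    free(env);
}

static char *copy_str(const char *s)   /* stand-in for strdup(), ISO C */
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* deep: copy strings, keep env. !deep: share strings, free the old array. */
static char **grow(char **env, int to_add, int *pos, int deep)
{
    int n = env_len(env), x;
    char **out = calloc((size_t)(n + to_add + 1), sizeof(char *));
    if (!out) return NULL;             /* env is untouched on failure */
    for (x = 0; x < n; x++) {
        out[x] = deep ? copy_str(env[x]) : env[x];
        if (!out[x]) { free_env(out); return NULL; }
    }
    if (!deep) free(env);              /* caller must re-store the result */
    *pos = n;
    return out;
}
char **enlarge_env(char **e, int a, int *p) { return grow(e, a, p, 0); }
char **dup_env(char **e, int a, int *p)     { return grow(e, a, p, 1); }

/* Constructed scenario: 1 if the headers survive a dup/add/free_env cycle. */
int headers_survive_cgi_cycle(void)
{
    int pos, ok;
    char **cgi, **hdrs = calloc(2, sizeof(char *));
    hdrs[0] = copy_str("HTTP_HOST=example.test");
    cgi = dup_env(hdrs, 1, &pos);      /* private copy for the script */
    cgi[pos] = copy_str("SCRIPT_NAME=/cgi-bin/demo");
    free_env(cgi);                     /* frees only the copy */
    ok = strcmp(hdrs[0], "HTTP_HOST=example.test") == 0;
    hdrs = enlarge_env(hdrs, 1, &pos); /* owner re-stores the new pointer */
    hdrs[pos] = copy_str("HTTP_ACCEPT=text/html");
    ok = ok && pos == 1 && env_len(hdrs) == 2;
    free_env(hdrs);
    return ok;
}
```

With the single new_env from the message, the free_env(cgi) call would have released the same strings that hdrs still points at.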